Posted to users@cloudstack.apache.org by Aurélien <fo...@gmail.com> on 2016/05/19 17:31:27 UTC

Download templates and ISOs via HTTPS

Hello,

I’m investigating an issue on CloudStack 4.8.0, which is I believe
well described in
https://issues.apache.org/jira/browse/CLOUDSTACK-1475.

I’m trying to add my ISO from, for example:
https://releases.rancher.com/os/latest/rancheros.iso

The problem is that I’m using a custom SSL certificate, and because of
this, the java instance on the SSVM (and CPVM) is started with a
custom keystore; doing so also overrides the default certificate trust
store, and the traditional certificate validation mechanisms, so I get
the error (sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target).

Would it be possible and advisable to add the contents of the default
certificate store (Option 2 in
https://issues.apache.org/jira/browse/CLOUDSTACK-1475?focusedCommentId=14537734&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14537734)
to the custom store when a custom SSL certificate is activated?

If so (I’m relatively new to CloudStack’s code), where should I peek in
the System VM to add the custom import commands?

Is there any existing issue you are aware of that addresses this issue?
In my opinion, if there isn’t, we should open one.

What do you think?

Thanks!

Best regards,
-- 
Aurélien Guillaume

Re: Download templates and ISOs via HTTPS

Posted by Aurélien <fo...@gmail.com>.
Hello,

Thanks for the patch, it works here too. I added a LGTM on the PR.

Best regards,
Aurélien

On Fri, May 20, 2016 at 2:49 PM, Milamber <mi...@apache.org> wrote:
> Hello,
>
> I confirm this issue. The keystore used by the Java instance of SSVM has
> only the custom certs inside (root, realhostip, cross, intermed and
> cpvmcertificat).
>
> So when the SSVM tries to download an HTTPS URL, the JVM cannot validate the
> SSL signatures.
>
> I've posted the PR 1555 to fix this. I've tested this patch with success on
> my test installation.
>
> Milamber
>
> https://github.com/apache/cloudstack/pull/1555
>
>
> On 20/05/2016 12:47, Aurélien wrote:
>>
>> Hello,
>>
>> In fact, yes, and everything inside CloudStack is working fine (I can
>> connect to CPVM correctly, the right certificate is presented, etc).
>> The only problem with this procedure is that the certificates you
>> upload are put in a custom keystore. This keystore contains only the
>> key, chain and root certificate uploaded via the API.
>>
>> When a custom keystore is provided, the default keystore (ie, the one
>> containing generally trusted root CAs included in common browsers) is
>> not loaded, and thus the only root CA that would be trusted is the one
>> corresponding to the uploaded wildcard. In my case, I want users to be
>> able to add templates hosted on HTTPS servers, which present SSL
>> certificates from various root CAs.
>>
>> I think the contents of the “realhostip” keystore should be:
>> - contents of the default keystore
>> - and, additionally, uploaded cert, chain, root and key.
>>
>> Best regards,
>> Aurélien
>>
>> On Fri, May 20, 2016 at 11:28 AM, Abhinandan Prateek
>> <ab...@shapeblue.com> wrote:
>>>
>>> Have you followed the procedure documented here
>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name
>>>
>>>
>>>
>>>
>>> On 19/05/16, 11:01 PM, "Aurélien" <fo...@gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I’m investigating an issue on CloudStack 4.8.0, which is I believe
>>>> well described in
>>>> https://issues.apache.org/jira/browse/CLOUDSTACK-1475.
>>>>
>>>> I’m trying to add my ISO from, for example:
>>>> https://releases.rancher.com/os/latest/rancheros.iso
>>>>
>>>> The problem is that I’m using a custom SSL certificate, and because of
>>>> this, the java instance on the SSVM (and CPVM) is started with a
>>>> custom keystore; doing so also overrides the default certificate trust
>>>> store, and the traditional certificate validation mechanisms, so I get
>>>> the error (sun.security.validator.ValidatorException: PKIX path
>>>> building failed:
>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>>> find valid certification path to requested target).
>>>>
>>>> Would it be possible and advisable to add the contents of the default
>>>> certificate store (Option 2 in
>>>>
>>>> https://issues.apache.org/jira/browse/CLOUDSTACK-1475?focusedCommentId=14537734&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14537734)
>>>> to the custom store when a custom SSL certificate is activated?
>>>>
>>>> If so (I’m relatively new to CloudStack’s code), where should I peek in
>>>> the System VM to add the custom import commands?
>>>>
>>>> Is there any existing issue you are aware of that addresses this issue?
>>>> In my opinion, if there isn’t, we should open one.
>>>>
>>>> What do you think?
>>>>
>>>> Thanks!
>>>>
>>>> Best regards,
>>>> --
>>>> Aurélien Guillaume
>>>
>>> abhinandan.prateek@shapeblue.com
>>> www.shapeblue.com
>>> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
>>> @shapeblue
>>>
>>>
>>
>>
>



-- 
Aurélien Guillaume

Re: Download templates and ISOs via HTTPS

Posted by Milamber <mi...@apache.org>.
Hello,

I confirm this issue. The keystore used by the Java instance of SSVM 
has only the custom certs inside (root, realhostip, cross, intermed and 
cpvmcertificat).

So when the SSVM tries to download an HTTPS URL, the JVM cannot validate 
the SSL signatures.

I've posted the PR 1555 to fix this. I've tested this patch with success 
on my test installation.

Milamber

https://github.com/apache/cloudstack/pull/1555

On 20/05/2016 12:47, Aurélien wrote:
> Hello,
>
> In fact, yes, and everything inside CloudStack is working fine (I can
> connect to CPVM correctly, the right certificate is presented, etc).
> The only problem with this procedure is that the certificates you
> upload are put in a custom keystore. This keystore contains only the
> key, chain and root certificate uploaded via the API.
>
> When a custom keystore is provided, the default keystore (ie, the one
> containing generally trusted root CAs included in common browsers) is
> not loaded, and thus the only root CA that would be trusted is the one
> corresponding to the uploaded wildcard. In my case, I want users to be
> able to add templates hosted on HTTPS servers, which present SSL
> certificates from various root CAs.
>
> I think the contents of the “realhostip” keystore should be:
> - contents of the default keystore
> - and, additionally, uploaded cert, chain, root and key.
>
> Best regards,
> Aurélien
>
> On Fri, May 20, 2016 at 11:28 AM, Abhinandan Prateek
> <ab...@shapeblue.com> wrote:
>> Have you followed the procedure documented here https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name
>>
>>
>>
>>
>> On 19/05/16, 11:01 PM, "Aurélien" <fo...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I’m investigating an issue on CloudStack 4.8.0, which is I believe
>>> well described in
>>> https://issues.apache.org/jira/browse/CLOUDSTACK-1475.
>>>
>>> I’m trying to add my ISO from, for example:
>>> https://releases.rancher.com/os/latest/rancheros.iso
>>>
>>> The problem is that I’m using a custom SSL certificate, and because of
>>> this, the java instance on the SSVM (and CPVM) is started with a
>>> custom keystore; doing so also overrides the default certificate trust
>>> store, and the traditional certificate validation mechanisms, so I get
>>> the error (sun.security.validator.ValidatorException: PKIX path
>>> building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>> find valid certification path to requested target).
>>>
>>> Would it be possible and advisable to add the contents of the default
>>> certificate store (Option 2 in
>>> https://issues.apache.org/jira/browse/CLOUDSTACK-1475?focusedCommentId=14537734&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14537734)
>>> to the custom store when a custom SSL certificate is activated?
>>>
>>> If so (I’m relatively new to CloudStack’s code), where should I peek in
>>> the System VM to add the custom import commands?
>>>
>>> Is there any existing issue you are aware of that addresses this issue?
>>> In my opinion, if there isn’t, we should open one.
>>>
>>> What do you think?
>>>
>>> Thanks!
>>>
>>> Best regards,
>>> --
>>> Aurélien Guillaume
>> abhinandan.prateek@shapeblue.com
>> www.shapeblue.com
>> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
>> @shapeblue
>>
>>
>
>


Re: Download templates and ISOs via HTTPS

Posted by Aurélien <fo...@gmail.com>.
Hello,

In fact, yes, and everything inside CloudStack is working fine (I can
connect to CPVM correctly, the right certificate is presented, etc).
The only problem with this procedure is that the certificates you
upload are put in a custom keystore. This keystore contains only the
key, chain and root certificate uploaded via the API.

When a custom keystore is provided, the default keystore (ie, the one
containing generally trusted root CAs included in common browsers) is
not loaded, and thus the only root CA that would be trusted is the one
corresponding to the uploaded wildcard. In my case, I want users to be
able to add templates hosted on HTTPS servers, which present SSL
certificates from various root CAs.

I think the contents of the “realhostip” keystore should be:
- contents of the default keystore
- and, additionally, uploaded cert, chain, root and key.

Best regards,
Aurélien

On Fri, May 20, 2016 at 11:28 AM, Abhinandan Prateek
<ab...@shapeblue.com> wrote:
> Have you followed the procedure documented here https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name
>
>
>
>
> On 19/05/16, 11:01 PM, "Aurélien" <fo...@gmail.com> wrote:
>
>>Hello,
>>
>>I’m investigating an issue on CloudStack 4.8.0, which is I believe
>>well described in
>>https://issues.apache.org/jira/browse/CLOUDSTACK-1475.
>>
>>I’m trying to add my ISO from, for example:
>>https://releases.rancher.com/os/latest/rancheros.iso
>>
>>The problem is that I’m using a custom SSL certificate, and because of
>>this, the java instance on the SSVM (and CPVM) is started with a
>>custom keystore; doing so also overrides the default certificate trust
>>store, and the traditional certificate validation mechanisms, so I get
>>the error (sun.security.validator.ValidatorException: PKIX path
>>building failed:
>>sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>find valid certification path to requested target).
>>
>>Would it be possible and advisable to add the contents of the default
>>certificate store (Option 2 in
>>https://issues.apache.org/jira/browse/CLOUDSTACK-1475?focusedCommentId=14537734&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14537734)
>>to the custom store when a custom SSL certificate is activated?
>>
>>If so (I’m relatively new to CloudStack’s code), where should I peek in
>>the System VM to add the custom import commands?
>>
>>Is there any existing issue you are aware of that addresses this issue?
>>In my opinion, if there isn’t, we should open one.
>>
>>What do you think?
>>
>>Thanks!
>>
>>Best regards,
>>--
>>Aurélien Guillaume
>
> abhinandan.prateek@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>
>



-- 
Aurélien Guillaume
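The merge that this post describes (default trust anchors plus the uploaded cert, chain, root and key in one keystore) can be checked and performed with the JDK's own KeyStore API. The following is an added example written for this page; it is not CloudStack code and not the fix from PR 1555. It assumes the custom keystore is a JKS file whose path and password are given on the command line (placeholders below), and that the JDK's default cacerts lives at java.home/lib/security/cacerts with the stock password "changeit". Only trusted-certificate entries are copied, never private keys, and existing aliases are not overwritten.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Enumeration;

/**
 * Imports the JDK's default CA anchors (cacerts) into a custom keystore, so that a JVM
 * started with -Djavax.net.ssl.trustStore=<custom> still trusts public CAs.
 * Added example, not CloudStack's code. Paths and passwords are placeholders.
 */
public class MergeTrustStore {

    /** Location of the default trust store for the JVM running this program (assumption). */
    static Path defaultCacerts() {
        Path javaHome = Paths.get(System.getProperty("java.home"));
        return javaHome.resolve("lib").resolve("security").resolve("cacerts");
    }

    static KeyStore load(Path path, char[] password) throws Exception {
        // JKS is the format of both the JDK 8 cacerts and the SSVM keystore of that era.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Number of trusted-certificate (CA anchor) entries; the check for the symptom in this thread. */
    static int trustedEntryCount(KeyStore ks) throws Exception {
        int n = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            if (ks.isCertificateEntry(aliases.nextElement())) n++;
        }
        return n;
    }

    /** Copies every trusted-certificate entry of 'from' into 'into'; private keys are never touched. */
    static int mergeTrustedCerts(KeyStore from, KeyStore into) throws Exception {
        int copied = 0;
        Enumeration<String> aliases = from.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!from.isCertificateEntry(alias)) continue;
            // Avoid clobbering an alias the custom store already uses (e.g. "root").
            String target = into.containsAlias(alias) ? "cacerts-" + alias : alias;
            if (into.containsAlias(target)) continue;
            into.setCertificateEntry(target, from.getCertificate(alias));
            copied++;
        }
        return copied;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: path and password of the custom keystore the system VM's JVM is started with.
        Path custom = Paths.get(args.length > 0 ? args[0] : "/path/to/custom.keystore");
        char[] customPass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        char[] cacertsPass = "changeit".toCharArray(); // stock JDK cacerts password

        KeyStore customKs = load(custom, customPass);
        KeyStore defaults = load(defaultCacerts(), cacertsPass);

        // Diagnostic: a store with only the uploaded chain has a handful of anchors,
        // while cacerts carries well over a hundred.
        System.out.println("Trusted anchors before merge: " + trustedEntryCount(customKs)
                + " (default cacerts has " + trustedEntryCount(defaults) + ")");

        int n = mergeTrustedCerts(defaults, customKs);
        try (OutputStream out = Files.newOutputStream(custom)) {
            customKs.store(out, customPass);
        }
        System.out.println("Imported " + n + " CA certificates; trusted anchors now: "
                + trustedEntryCount(customKs));
    }
}
```

The same merge is what keytool's `-importkeystore` does with `-srckeystore`/`-destkeystore` and the two store passwords, which is the form one would script on the system VM. Either way the import has to be repeated whenever the custom keystore is regenerated, since the uploaded material otherwise replaces, rather than extends, the default trust anchors.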

Re: Download templates and ISOs via HTTPS

Posted by Abhinandan Prateek <ab...@shapeblue.com>.
Have you followed the procedure documented here https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name




On 19/05/16, 11:01 PM, "Aurélien" <fo...@gmail.com> wrote:

>Hello,
>
>I’m investigating an issue on CloudStack 4.8.0, which is I believe
>well described in
>https://issues.apache.org/jira/browse/CLOUDSTACK-1475.
>
>I’m trying to add my ISO from, for example:
>https://releases.rancher.com/os/latest/rancheros.iso
>
>The problem is that I’m using a custom SSL certificate, and because of
>this, the java instance on the SSVM (and CPVM) is started with a
>custom keystore; doing so also overrides the default certificate trust
>store, and the traditional certificate validation mechanisms, so I get
>the error (sun.security.validator.ValidatorException: PKIX path
>building failed:
>sun.security.provider.certpath.SunCertPathBuilderException: unable to
>find valid certification path to requested target).
>
>Would it be possible and advisable to add the contents of the default
>certificate store (Option 2 in
>https://issues.apache.org/jira/browse/CLOUDSTACK-1475?focusedCommentId=14537734&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14537734)
>to the custom store when a custom SSL certificate is activated?
>
>If so (I’m relatively new to CloudStack’s code), where should I peek in
>the System VM to add the custom import commands?
>
>Is there any existing issue you are aware of that addresses this issue?
>In my opinion, if there isn’t, we should open one.
>
>What do you think?
>
>Thanks!
>
>Best regards,
>-- 
>Aurélien Guillaume

abhinandan.prateek@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue